Re: [Openvpn-users] Bridge problem

so it means that we are both doing the same stupid mistake or that this howto
on the openvpn.net page is just crap. But how could one publish it when it doesn't
work?

Well, I think the documentation is very good and points you in the right
direction, but as always with complex tools like VPNs you need a good
knowledge of IP networking and be able to troubleshoot and draw your
own conclusions about a particular problem. If you don't have this basic
knowledge I'd recommend you pay someone to do it for you. After all, it's
a security application you're working with here, so if you don't understand
it fully you risk exposing your complete network...

Please don't complain about the documentation. If you buy a commercial
product, complain as much as you want. With an open-source product, use the
documentation as it is, then use your own brain, and when you have found
something that could have been documented better, supply a patch with your
enhanced version.

There is one thing that I don't understand, and maybe you could explain it to
me. In the Ethernet Bridging Notes on this page: http://openvpn.net/bridge.html
they wrote:

The addresses used for local and remote should not be part of the bridged
subnet -- otherwise you will end up with a routing loop.

What does it exactly mean? Could someone send an example please?

Draw a picture of what you're trying to accomplish and you will probably
understand what it means. In short, don't tell your OpenVPN client
to connect to an OpenVPN server on an IP address that belongs to the local
network that you will be bridging across the network.

And for Daniel, in your original post you wrote:

At the moment, I've set up the bridge-start/stop scripts from the Howto
page, referencing "br0", "tap1" (because tap0 is currently used by a
working VPN), and "eth1", with IP 66.56.54.62. So I'm bridging with the
external interface and IP - is that correct?

No, this is not correct, you should bridge tap1 with your LOCAL interface.

Just try to think logically. You have made your OpenVPN client use an IP
address directly out of your local network. When it tries to ping a
machine on the local network, this ping will be encrypted by OpenVPN and
sent to the OpenVPN server over the public internet. Then when it arrives
on your server, it will be decrypted and sent out on tap1 (as that's the
interface you have specified in your OpenVPN server config).

Now what do you want to happen with this packet? Do you want it bridged
with your external interface so it will be forwarded back out there
unencrypted? No, of course not, you want it forwarded to your local
physical interface (eth0?) so it can reach the machine you were trying to
ping. So, bridge it with your local interface.

Here's how I bring my interfaces up before starting OpenVPN on my servers:
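The poster's own bring-up script is not included on this page. As an added example (not the poster's script and not the howto's bridge-start itself), here is a POSIX sh fragment in the style of the howto's bridge-start that enforces the rule quoted above from the bridging notes: it refuses to build the bridge when the `--local`/`--remote` endpoint addresses fall inside the subnet being bridged, and otherwise bridges `tap1` with the LOCAL interface. The `brctl`, `ifconfig` and `openvpn --mktun` calls follow the classic bridge-start layout and need root; `eth0`, `tap1`, `br0`, `192.168.1.0/24` and `203.0.113.5` are assumed placeholders, while `66.56.54.62` is the external address mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example, not the poster's bridge-start script.  Assumptions: Linux,
# bridge-utils (brctl) and the classic OpenVPN bridge-start layout; the
# interface names and addresses below are illustrative placeholders.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR: succeed if ADDR lies inside CIDR (e.g. 192.168.1.0/24).
in_subnet() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# check_endpoints CIDR ENDPOINT...: enforce the rule from the bridging notes,
# that neither --local nor --remote may sit inside the subnet being bridged
# (otherwise traffic for those hosts would be fed back into the tunnel).
check_endpoints() {
    cidr=$1; shift
    rc=0
    for ep in "$@"; do
        if in_subnet "$ep" "$cidr"; then
            echo "refusing: endpoint $ep lies inside bridged subnet $cidr" >&2
            rc=1
        fi
    done
    return $rc
}

# bridge_up: put the tap device and the LAN interface into one bridge, the
# way the howto's bridge-start does.  Requires root; only runs when this
# file is invoked as "sh bridge-check.sh up".
bridge_up() {
    br=br0
    tap=tap1
    eth=eth0                  # the LOCAL interface, not the external one
    eth_ip=192.168.1.1        # illustrative LAN address of this server
    eth_netmask=255.255.255.0
    eth_broadcast=192.168.1.255

    openvpn --mktun --dev "$tap"
    brctl addbr "$br"
    brctl addif "$br" "$eth"
    brctl addif "$br" "$tap"
    ifconfig "$tap" 0.0.0.0 promisc up
    ifconfig "$eth" 0.0.0.0 promisc up
    ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"
}

# Refuse to build the bridge if a tunnel endpoint is inside the bridged LAN.
# 66.56.54.62 is the external address from the thread; 203.0.113.5 is a
# constructed placeholder for the other end of the tunnel.
if [ "${1:-}" = "up" ]; then
    check_endpoints 192.168.1.0/24 66.56.54.62 203.0.113.5 && bridge_up
fi
```

Run `sh bridge-check.sh up` as root before starting OpenVPN; if either endpoint is printed as lying inside the bridged subnet, fix the `--local`/`--remote` addresses (or the bridged interface choice) rather than forcing the bridge up.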